Posted to users@tomcat.apache.org by Ronnie <lo...@yahoo.com.sg> on 2003/08/01 18:34:57 UTC

FORM Login Bypassed

Hi!

I have this web application using FORM login access but I am having a problem directing the navigation to the defined login page when a user clicks on a secure link.

You see, I am using a DispatcherServlet as a navigation controller to direct users to the correct page and the URL is coded as:

    <a href="dispatcher?action=admin">admin</a>

Where "dispatcher" is the URL name of the DispatcherServlet. In the servlet, "admin" is translated to "/computers/admin/index.jsp" from values coded in web.xml.

Now when I declare the protected url-pattern as "/computers/admin/*" as below and click on the above link, the login page is bypassed and I can access the admin index page without logging in.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Administration functions</web-resource-name>
        <!-- <url-pattern>dispatcher?action=admin</url-pattern>    Does not work! -->
        <url-pattern>/computers/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <!-- Anyone with one of the listed roles may access this area -->
        <role-name>admin</role-name>
    </auth-constraint>

    <!-- HTTPS/SSL -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>dispatcher?action=adminLogin</form-login-page>
        <form-error-page>dispatcher?action=adminLoginFail</form-error-page>
    </form-login-config>
</login-config>

To overcome this I had to hardcode the link in my webpage as: <a href="/Computers/computers/admin/index.jsp">admin</a>

I wish to keep my navigation based on logical names. Is there a work-around or solution to this problem?



Regards,
Ronnie Choo
Singapore



Re: FORM Login Bypassed

Posted by Tim Funk <fu...@joedog.org>.
In your cases there is nothing preventing you from programmatic security.

I look at security the same way some db vendors do. I might not have access 
to any table, but I might be granted access to a table or view which may 
access those tables I am not allowed to directly see.

In the case of a monolithic traffic cop, that can still be fine depending on 
your architecture. In fact, I hope to do something similar where I have one 
apache instance with jk or mod_proxy installed and it farms out *all* 
requests to different tomcats depending on the URL namespace(directory). Then 
apache can handle SSL and any other decorators and each tomcat can perform 
additional constraints (container or programmatic) as needed.

If you are rewriting URLs on the fly, this usually is a recipe for pain in 
dev vs test vs production.

-Tim


Mike Curwen wrote:
> But what if you have a confederation (hmm... $20 word for the day) of
> components that all together act as your controller.  One main traffic
> cop controller out front that will invoke appropriate business logic in
> other controllers... those *other* controllers having the security
> constraints. More on that in my next comment.
> 
> 
> 
>>Adding a constraint to the incoming URL is not a big deal if 
>>one knows this constraint before coding a webapp. 
> 
> 
> But what about the case where the incoming URL is facading any number of
> requests for resources?  It's almost as though you shouldn't ever
> consider doing what Ronnie is doing (one monolithic traffic cop out
> front) because you can't protect access to a subset of resources, or
> have different users set up for different resources, etc, etc.  Is it an
> acceptable work-around to use sendRedirect() or is there a better
> pattern or 'best practice' recommendation? 
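Tim's point that nothing prevents programmatic security, and Mike's question about protecting a subset of resources with different users for each, can be made concrete. The servlet below is an added example written for this page, not code from the thread or from Tomcat. It assumes the javax.servlet API (Tomcat 9 and earlier), a hypothetical web.xml that maps this servlet to /secure/dispatcher and places /secure/* under a <security-constraint> whose <auth-constraint> is <role-name>*</role-name> (so the container has already authenticated every caller before the servlet runs), and a constructed action table with sample role names. The container does authentication; the dispatcher does per-action authorization before it forwards.

```java
// Added example, not code from the thread. Assumes the javax.servlet API and a
// hypothetical web.xml constraint on /secure/* that makes the container authenticate
// every caller of this servlet (mapped to /secure/dispatcher) before doGet runs.
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AuthorizingDispatcherServlet extends HttpServlet {

    /** A logical action name resolved to a target page and the role allowed to use it. */
    static final class Action {
        final String path;
        final String role;
        Action(String path, String role) { this.path = path; this.role = role; }
    }

    // Constructed sample table; the thread keeps this mapping in web.xml.
    private static final Map<String, Action> ACTIONS = new HashMap<String, Action>();
    static {
        ACTIONS.put("catalog", new Action("/computers/catalog.jsp", "user"));
        ACTIONS.put("admin",   new Action("/computers/admin/index.jsp", "admin"));
        ACTIONS.put("audit",   new Action("/computers/admin/audit.jsp", "auditor"));
    }

    /** Decides whether the caller may run the action; returns the HTTP status to send. */
    static int authorize(HttpServletRequest request, Action action) {
        if (action == null) {
            return HttpServletResponse.SC_NOT_FOUND;      // unknown logical name
        }
        if (request.getUserPrincipal() == null) {
            // Cannot happen behind the container constraint; fail closed anyway.
            return HttpServletResponse.SC_UNAUTHORIZED;
        }
        if (!request.isUserInRole(action.role)) {
            return HttpServletResponse.SC_FORBIDDEN;      // authenticated, wrong role
        }
        return HttpServletResponse.SC_OK;
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String name = request.getParameter("action");
        // The parameter is only ever a key into the table, never a path of its own.
        Action action = (name == null) ? null : ACTIONS.get(name);
        int status = authorize(request, action);
        if (status != HttpServletResponse.SC_OK) {
            // Denials are worth an audit line: a user probing for other roles' pages
            // shows up here, which the container's own log would not record.
            log("dispatcher denied action=" + name + " user=" + request.getRemoteUser()
                + " status=" + status);
            response.sendError(status);
            return;
        }
        // The forward is not re-checked by the container (SRV.12.2); that is exactly
        // why the authorization above runs in the dispatcher before the forward.
        request.getRequestDispatcher(action.path).forward(request, response);
    }
}
```

The design point is the split of responsibilities: the container's declarative constraint guarantees that `getUserPrincipal()` is never null here and runs the FORM login flow, while the role table in code gives each logical name its own required role, which a URL pattern on the single dispatcher entry point cannot express.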

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


RE: FORM Login Bypassed

Posted by Mike Curwen <gb...@gb-im.com>.
comments inline.

> -----Original Message-----
> From: Tim Funk [mailto:funkman@joedog.org] 
> Sent: Friday, August 01, 2003 1:32 PM
> To: Tomcat Users List
> Subject: Re: FORM Login Bypassed
> 
> 
> Security constraints are imposed on the incoming *client* request and do 
> not apply to forwards and includes. This is true for 2.3 and 2.4 and is stated 
> in "SRV.12.2 Declarative Security"
> ===
> "The security model does not apply when a servlet uses the 
> RequestDispatcher 
> to invoke a static resource or servlet using a forward or an 
> include." ===

Thanks Tim, for covering my laziness today. I'd normally look through
the spec, but thought I'd leave it for someone else. ;)



> Adding constraints on forwards could be feasible but I don't like it (IMO, 
> YMMV) since in an MVC style, your controller could go through a lot of work 
> to set up the model only to have the view deny access. This 

But what if you have a confederation (hmm... $20 word for the day) of
components that all together act as your controller.  One main traffic
cop controller out front that will invoke appropriate business logic in
other controllers... those *other* controllers having the security
constraints. More on that in my next comment.


> 
> Adding a constraint to the incoming URL is not a big deal if 
> one knows this constraint before coding a webapp. 

But what about the case where the incoming URL is facading any number of
requests for resources?  It's almost as though you shouldn't ever
consider doing what Ronnie is doing (one monolithic traffic cop out
front) because you can't protect access to a subset of resources, or
have different users set up for different resources, etc, etc.  Is it an
acceptable work-around to use sendRedirect() or is there a better
pattern or 'best practice' recommendation? 


Re: FORM Login Bypassed

Posted by Tim Funk <fu...@joedog.org>.
Security constraints are imposed on the incoming *client* request and do 
not apply to forwards and includes. This is true for 2.3 and 2.4 and is stated 
in "SRV.12.2 Declarative Security"
===
"The security model does not apply when a servlet uses the RequestDispatcher 
to invoke a static resource or servlet using a forward or an include."
===

I don't think it's possible to impose auth constraints for includes, it would 
contradict the spec. Since includes cannot set headers and a host of other 
things, allowing this for authentication would be a PITA for implementors and 
break in many circumstances.

Adding constraints on forwards could be feasible but I don't like it (IMO, 
YMMV) since in an MVC style, your controller could go through a lot of work 
to set up the model only to have the view deny access. This could cause a lot of 
confusion for developers.

Adding a constraint to the incoming URL is not a big deal if one knows this 
constraint before coding a webapp. But discovering this constraint after the 
webapp was created can make life miserable.

-Tim

Mike Curwen wrote:
> 
> But that's not quite the situation here...
>  
> It's still a request for a resource
> 
> 1.  request /dispatcher?page=fookey
> 2.  dispatcher translates fookey to /somepage/somewhere.jsp
> 3.  a request for /somepage/somewhere.jsp is made
> 4.  somepage/somewhere.jsp has a security constraint not being honoured.
>  
> And this is because security constraints are only checked for
> client-side requests, and not through forwarded or included requests
> (serverside). Filters currently act this way (the filter mappings are
> not honoured when server-side requests are made).  
>  
> Do you (or anyone else) think that AUTH mappings should be 'enhanced' as
> well, so that forwards/includes will be checked? (like Filters have
> changed for 2.4) 
> 


RE: FORM Login Bypassed

Posted by Mike Curwen <gb...@gb-im.com>.
Thanks Tim, your first sentence I think answers my question about "does
it indeed only work on client requests".

But that's not quite the situation here...
 
It's still a request for a resource

1.  request /dispatcher?page=fookey
2.  dispatcher translates fookey to /somepage/somewhere.jsp
3.  a request for /somepage/somewhere.jsp is made
4.  somepage/somewhere.jsp has a security constraint not being honoured.
 
And this is because security constraints are only checked for
client-side requests, and not through forwarded or included requests
(serverside). Filters currently act this way (the filter mappings are
not honoured when server-side requests are made).  
 
Do you (or anyone else) think that AUTH mappings should be 'enhanced' as
well, so that forwards/includes will be checked? (like Filters have
changed for 2.4) 




> -----Original Message-----
> From: Tim Funk [mailto:funkman@joedog.org] 
> Sent: Friday, August 01, 2003 11:52 AM
> To: Tomcat Users List
> Subject: Re: FORM Login Bypassed
> 
> 
> Security constraints are imposed on the incoming url.
> 
> Query strings are not used in servlet mapping declarations.
> 
> -Tim
> 
> 
> Ronnie wrote:
> > Hi!
> > 
> > I have this web application using FORM login access but I am having a 
> > problem directing the navigation to the defined login page when a user 
> > clicks on a secure link.
> > 
> > You see, I am using a DispatcherServlet as a navigation 
> controller to 
> > direct users to the correct page and the URL is coded as:
> > 
> >     <a href="dispatcher?action=admin">admin</a>
> > 
> > Where "dispatcher" is the URL name of the DispatcherServlet. In the 
> > servlet, "admin" is translated to "/computers/admin/index.jsp" from 
> > values coded in web.xml.
> > 
> > Now when I declare the protected url-pattern as "/computers/admin/*" 
> > as below and click on the above link, the login page is bypassed 
> > and I can access the admin index page without logging in.
> > 
> > <security-constraint>
> >      <web-resource-collection>
> >         <web-resource-name>Administration 
> functions</web-resource-name>
> > <!--        
> <url-pattern>dispatcher?action=admin</url-pattern>    Does 
> not work! -->
> >         <url-pattern>/computers/admin/*</url-pattern>
> >      </web-resource-collection>
> >      <auth-constraint>
> >         <!-- Anyone with one of the listed roles may access 
> this area -->
> >         <role-name>admin</role-name>
> >      </auth-constraint>
> > 
> >   <!-- HTTPS/SSL-->
> >      <user-data-constraint>
> >         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >      </user-data-constraint>
> >   </security-constraint>
> > 
> > <login-config>
> >      <auth-method>FORM</auth-method>
> >    <form-login-config>
> >     <form-login-page>dispatcher?action=adminLogin</form-login-page>
> >    
> <form-error-page>dispatcher?action=adminLoginFail</form-error-page>
> >   </form-login-config>
> > </login-config>
> > 
> > To overcome this I had to hardcode the link in my webpage as: <a 
> > href="/Computers/computers/admin/index.jsp">admin</a>
> > 
> > I wish to keep my navigation based on logical names. Is there a 
> > work-around or solution to this problem?
> > 
> > 
> > 
> > Regards,
> > Ronnie Choo
> > Singapore
> > 
> > 
> > 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 


Re: FORM Login Bypassed

Posted by Tim Funk <fu...@joedog.org>.
Security constraints are imposed on the incoming url.

Query strings are not used in servlet mapping declarations.

-Tim


Ronnie wrote:
> Hi!
> 
> I have this web application using FORM login access but I am having a problem directing the navigation to the defined login page when a user clicks on a secure link.
> 
> You see, I am using a DispatcherServlet as a navigation controller to direct users to the correct page and the URL is coded as:
> 
>     <a href="dispatcher?action=admin">admin</a>
> 
> Where "dispatcher" is the URL name of the DispatcherServlet. In the servlet, "admin" is translated to "/computers/admin/index.jsp" from values coded in web.xml.
> 
> Now when I declare the protected url-pattern as "/computers/admin/*" as below and click on the above link, the login page is bypassed and I can access the admin index page without logging in.
> 
> <security-constraint>
>      <web-resource-collection>
>         <web-resource-name>Administration functions</web-resource-name>
> <!--        <url-pattern>dispatcher?action=admin</url-pattern>    Does not work! -->
>         <url-pattern>/computers/admin/*</url-pattern>
>      </web-resource-collection>
>      <auth-constraint>
>         <!-- Anyone with one of the listed roles may access this area -->
>         <role-name>admin</role-name>
>      </auth-constraint>
> 
>   <!-- HTTPS/SSL-->
>      <user-data-constraint>
>         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>      </user-data-constraint>
>   </security-constraint>
> 
> <login-config>
>      <auth-method>FORM</auth-method>
>    <form-login-config>
>     <form-login-page>dispatcher?action=adminLogin</form-login-page>
>    <form-error-page>dispatcher?action=adminLoginFail</form-error-page>
>   </form-login-config>
> </login-config>
> 
> To overcome this I had to hardcode the link in my webpage as: <a href="/Computers/computers/admin/index.jsp">admin</a>
> 
> I wish to keep my navigation based on logical names. Is there a work-around or solution to this problem?
> 
> 
> 
> Regards,
> Ronnie Choo
> Singapore
> 
> 
> 


RE: FORM Login Bypassed

Posted by Mike Curwen <gb...@gb-im.com>.
The sendRedirect() method is on the response object. Another method of
interest will be the encodeRedirectURL() so that non-cookie users can
still use your site.
 
Something like:

String resource = "somepage/somewhere.jsp";
response.sendRedirect(response.encodeRedirectURL(resource));




> -----Original Message-----
> From: Ronnie [mailto:lormee2001@yahoo.com.sg] 
> Sent: Friday, August 01, 2003 11:59 AM
> To: Tomcat Users List
> Subject: Re: FORM Login Bypassed
> 
> 
> 
> ----- Original Message -----
> From: "Mike Curwen" <gb...@gb-im.com>
> To: "'Tomcat Users List'" <to...@jakarta.apache.org>
> Sent: Saturday, August 02, 2003 12:45 AM
> Subject: RE: FORM Login Bypassed
> 
> 
> > When your dispatcher does the translation, does it forward 
> or include 
> > the 'actual' resource ?  Meaning it takes place entirely 
> server-side ?
> 
> This is how I dispatched it:
> 
>       RequestDispatcher rd = request.getRequestDispatcher(resource);
> 
>       // Forward resource, resource is the URL. IE: 
> "/computers/admin/index.jsp"
>       try {
>          rd.forward(request, response);
>       } catch (ServletException e) {...}
> 
> > If you did a sendRedirect, that would then make the browser request 
> > the protected resource directly, which would invoke the 
> AUTH, if the 
> > AUTH is configured correctly. And it looks right to me.
> 
> How do you do a sendRedirect? Sorry, I'm still quite green in 
> servlet programming...
> 
> > What it sounds like is that once you are on the server-side (by 
> > requesting the un-protected /dispatcher resource) that any 
> server-side 
> > forwards or includes are not being authenticated.  I wasn't 
> aware that 
> > was the case.
> >
> > It works this way for filters though, but in the next servlet spec 
> > (2.4) we'll have filter mappings being honoured for forwards and 
> > includes as well (configurable).
> 
> Thanks a lot for the help and info!
> 
> >
> > > -----Original Message-----
> > > From: Ronnie [mailto:lormee2001@yahoo.com.sg]
> > > Sent: Friday, August 01, 2003 11:35 AM
> > > To: tomcat-user@jakarta.apache.org
> > > Subject: FORM Login Bypassed
> > >
> > >
> > > Hi!
> > >
> > > I have this web application using FORM login access but I am having a 
> > > problem directing the navigation to the defined login page when a user 
> > > clicks on a secure link.
> > >
> > > You see, I am using a DispatcherServlet as a navigation 
> controller 
> > > to direct users to the correct page and the URL is coded as:
> > >
> > >     <a href="dispatcher?action=admin">admin</a>
> > >
> > > Where "dispatcher" is the URL name of the 
> DispatcherServlet. In the 
> > > servlet, "admin" is translated to 
> "/computers/admin/index.jsp" from 
> > > values coded in web.xml.
> > >
> > > Now when I declare the protected url-pattern as "/computers/admin/*" 
> > > as below and click on the above link, the login page is bypassed and 
> > > I can access the admin index page without logging in.
> > >
> > > <security-constraint>
> > >      <web-resource-collection>
> > >         <web-resource-name>Administration 
> > > functions</web-resource-name>
> > > <!--
> > > <url-pattern>dispatcher?action=admin</url-pattern>    Does
> > > not work! -->
> > >         <url-pattern>/computers/admin/*</url-pattern>
> > >      </web-resource-collection>
> > >      <auth-constraint>
> > >         <!-- Anyone with one of the listed roles may access this 
> > > area -->
> > >         <role-name>admin</role-name>
> > >      </auth-constraint>
> > >
> > >   <!-- HTTPS/SSL-->
> > >      <user-data-constraint>
> > >         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > >      </user-data-constraint>
> > >   </security-constraint>
> > >
> > > <login-config>
> > >      <auth-method>FORM</auth-method>
> > >    <form-login-config>
> > >     
> <form-login-page>dispatcher?action=adminLogin</form-login-page>
> > >    
> <form-error-page>dispatcher?action=adminLoginFail</form-error-page>
> > >   </form-login-config>
> > > </login-config>
> > >
> > > To overcome this I had to hardcode the link in my webpage as: <a 
> > > href="/Computers/computers/admin/index.jsp">admin</a>
> > >
> > > I wish to keep my navigation based on logical names. Is there a 
> > > work-around or solution to this problem?
> > >
> > >
> > >
> > > Regards,
> > > Ronnie Choo
> > > Singapore
> > >
> > >
> > >
> >
> >
> > 
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 
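Tim's quote of SRV.12.2 explains what Ronnie saw (a forward never passes through the container's security check), and Mike's sendRedirect() suggestion is the fix. The dispatcher below puts the two together; it is an added example written for this page, not code from the thread or from Tomcat. It assumes the javax.servlet API (Tomcat 9 and earlier), the <security-constraint> on /computers/admin/* from Ronnie's web.xml, and a hypothetical convention that the action-to-page table is stored as this servlet's <init-param>s (for example param-name admin with param-value /computers/admin/index.jsp). Targets under the protected prefix are redirected so the container enforces the constraint; everything else is forwarded as before.

```java
// Added example, not code from the thread. Assumes the javax.servlet API, the
// thread's constraint on /computers/admin/*, and a hypothetical convention that
// each logical action name is an <init-param> of this servlet whose value is the
// context-relative path of the target page.
import java.io.IOException;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RedirectingDispatcherServlet extends HttpServlet {

    /** Path prefix that web.xml places under the container's <security-constraint>. */
    private static final String PROTECTED_PREFIX = "/computers/admin/";

    /**
     * Resolves a logical action name to a context-relative path via init-params.
     * Returns null for unknown names or values that are not absolute within the
     * context, so the request parameter can never be used as a path by itself.
     */
    String resolve(String action) {
        if (action == null) {
            return null;
        }
        String path = getInitParameter(action);
        if (path == null || !path.startsWith("/")) {
            return null;
        }
        return path;
    }

    /** True when the container, not this servlet, has to admit the request. */
    static boolean isContainerProtected(String path) {
        return path.startsWith(PROTECTED_PREFIX);
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String path = resolve(request.getParameter("action"));
        if (path == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        if (isContainerProtected(path)) {
            // A forward would bypass the <security-constraint> (SRV.12.2). A redirect
            // makes the browser issue a fresh client request for the protected URL, so
            // the container checks the constraint, runs the FORM login if needed and
            // lands the user on the page afterwards. A path starting with "/" is
            // resolved against the server root by sendRedirect(), so getContextPath()
            // ("/Computers" in the thread) keeps it inside this webapp, and
            // encodeRedirectURL() appends the session id for cookie-less clients.
            String location = request.getContextPath() + path;
            response.sendRedirect(response.encodeRedirectURL(location));
            return;
        }
        // Public target: a server-side forward is fine and saves a round trip.
        RequestDispatcher rd = request.getRequestDispatcher(path);
        rd.forward(request, response);
    }
}
```

The logical names in the HTML stay as Ronnie wants them; only the dispatcher knows which targets the container guards. The cost is one extra round trip for protected pages and the loss of any request attributes set before the redirect, which is the trade-off Tim describes between container-enforced and programmatic checks.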


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


RE: FORM Login Bypassed

Posted by Mike Curwen <gb...@gb-im.com>.
the sendRedirect() method is on the response object. Another method of
interest will be the encodeRedirectURL() so that non-cookie users can
still use your site.
 
Something like:

resource = "somepage/somewhere.jsp";
response.sendRedirect(response.encodeRedirectURL(resource));




> -----Original Message-----
> From: Ronnie [mailto:lormee2001@yahoo.com.sg] 
> Sent: Friday, August 01, 2003 11:59 AM
> To: Tomcat Users List
> Subject: Re: FORM Login Bypassed
> 
> 
> 
> ----- Original Message -----
> From: "Mike Curwen" <gb...@gb-im.com>
> To: "'Tomcat Users List'" <to...@jakarta.apache.org>
> Sent: Saturday, August 02, 2003 12:45 AM
> Subject: RE: FORM Login Bypassed
> 
> 
> > When your dispatcher does the translation, does it forward or include
> > the 'actual' resource ?  Meaning it takes place entirely server-side ?
> 
> This is how I dispatched it:
> 
>       RequestDispatcher rd = request.getRequestDispatcher(resource);
> 
>       // Forward to the resource; resource is the URL, e.g.
>       // "/computers/admin/index.jsp"
>       try {
>          rd.forward(request, response);
>       } catch (ServletException e) {...}
> 
> > If you did a sendRedirect, that would then make the browser request
> > the protected resource directly, which would invoke the AUTH, if the
> > AUTH is configured correctly. And it looks right to me.
> 
> How do you do a sendRedirect? Sorry, I'm still quite green in
> servlet programming...
> 
> > What it sounds like is that once you are on the server-side (by
> > requesting the un-protected /dispatcher resource) that any server-side
> > forwards or includes are not being authenticated.  I wasn't aware that
> > was the case.
> >
> > It works this way for filters though, but in the next servlet spec
> > (2.4) we'll have filter mappings being honoured for forwards and
> > includes as well (configurable).
> 
> Thanks a lot for the help and info!
> 


Re: FORM Login Bypassed

Posted by Ronnie <lo...@yahoo.com.sg>.
----- Original Message -----
From: "Mike Curwen" <gb...@gb-im.com>
To: "'Tomcat Users List'" <to...@jakarta.apache.org>
Sent: Saturday, August 02, 2003 12:45 AM
Subject: RE: FORM Login Bypassed


> When your dispatcher does the translation, does it forward or include
> the 'actual' resource ?  Meaning it takes place entirely server-side ?

This is how I dispatched it:

      RequestDispatcher rd = request.getRequestDispatcher(resource);

      // Forward to the resource; resource is the URL, e.g.
      // "/computers/admin/index.jsp"
      try {
         rd.forward(request, response);
      } catch (ServletException e) {...}

> If you did a sendRedirect, that would then make the browser request the
> protected resource directly, which would invoke the AUTH, if the AUTH is
> configured correctly. And it looks right to me.

How do you do a sendRedirect? Sorry, I'm still quite green in servlet
programming...

> What it sounds like is that once you are on the server-side (by
> requesting the un-protected /dispatcher resource) that any server-side
> forwards or includes are not being authenticated.  I wasn't aware that
> was the case.
>
> It works this way for filters though, but in the next servlet spec (2.4)
> we'll have filter mappings being honoured for forwards and includes as
> well (configurable).

Thanks a lot for the help and info!





RE: FORM Login Bypassed

Posted by Mike Curwen <gb...@gb-im.com>.
When your dispatcher does the translation, does it forward or include
the 'actual' resource ?  Meaning it takes place entirely server-side ?
If you did a sendRedirect, that would then make the browser request the
protected resource directly, which would invoke the AUTH, if the AUTH is
configured correctly. And it looks right to me.
 
What it sounds like is that once you are on the server-side (by
requesting the un-protected /dispatcher resource) that any server-side
forwards or includes are not being authenticated.  I wasn't aware that
was the case.
 
It works this way for filters though, but in the next servlet spec (2.4)
we'll have filter mappings being honoured for forwards and includes as
well (configurable).  




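The two points Mike makes above (a server-side forward never passes through the container's security check, while a sendRedirect makes the browser request the protected URL itself) as an added example that is neither Ronnie's servlet nor Tomcat code. The action map, the PROTECTED_PREFIX constant and the context path "/Computers" are assumptions taken from the thread, not from any real deployment.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not the original poster's code). The container evaluates
 * <security-constraint> only against the URL the browser requested. A
 * RequestDispatcher.forward() runs inside the container after that check,
 * so forwarding from the unprotected /dispatcher URL to
 * /computers/admin/index.jsp never triggers the FORM login page.
 */
public class DispatcherServlet extends HttpServlet {

    // Constructed mapping of logical action names to paths; in the thread
    // these values come from init-params in web.xml.
    private static final Map<String, String> ACTIONS = Map.of(
        "admin",          "/computers/admin/index.jsp",
        "adminLogin",     "/computers/login.jsp",
        "adminLoginFail", "/computers/loginFail.jsp");

    // Assumed: everything below this prefix is covered by the
    // /computers/admin/* url-pattern in web.xml.
    private static final String PROTECTED_PREFIX = "/computers/admin/";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String resource = ACTIONS.get(request.getParameter("action"));
        if (resource == null) {
            // Unknown action: do not forward arbitrary paths.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        if (resource.startsWith(PROTECTED_PREFIX)) {
            // Redirect instead of forward: the browser issues a new request
            // for the protected URL, so the container applies the constraint
            // and shows the FORM login page when no authenticated session
            // exists. getContextPath() yields "/Computers" in the thread's
            // setup; encodeRedirectURL() keeps URL-rewritten session ids
            // working for clients that do not accept cookies.
            String target = request.getContextPath() + resource;
            response.sendRedirect(response.encodeRedirectURL(target));
            return;
        }

        // Unprotected pages can still be served by a server-side forward.
        RequestDispatcher rd = request.getRequestDispatcher(resource);
        rd.forward(request, response);
    }
}
```

If the dispatcher must forward rather than redirect (for instance to keep request attributes), it has to call request.isUserInRole("admin") itself before forwarding, because the container's constraint is never consulted on a forward.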